
When I founded Fractional CISO in 2017, I had no idea that I would, just a few years later, be founding the one-man video-short sketch comedy troupe Rob & Rob. Life works in funny ways.
Thankfully, the videos Rob & Rob has produced have proved to be popular on LinkedIn, racking up 1 million impressions in the last year! It has been a fun and gratifying way to share helpful cybersecurity and compliance information with the LinkedIn community.
Let’s take a look at the top five videos, by total views.
1. Why doesn’t the CISO report to the CEO?
Fun fact: this video was first released in 2022! Every once in a while, I like to tweak and repost old videos to see if they can reach a different or larger audience. This one was our most successful attempt.
When it was first released, it was my most popular video. Its second release in 2023 launched it to the stratosphere – over 850,000 lifetime impressions.
Obviously, this is a message that resonates in the cybersecurity community! (Alternatively, people like my wig).
CISOs want to report to the CEO, but the CEO doesn’t always want the same thing. Here are some common reasons I’ve seen.
- The CEO does not want to have to manage multiple technical resources.
- The CEO does not want to manage disputes between the CISO and CIO/CTO.
- The CEO does not deem cyber risk to be important.
- The CEO deems cyber risk to be in line with other managed risks.
- The CEO does not want to have to parse cyberspeak.
2. When you take your SOC 2 to an ISO audit
Sometimes, companies that have SOC 2 decide they need (or are told by customers that they need) an ISO 27001.
Unfortunately, ISO 27001 has some pretty hefty documentation and audit requirements that SOC 2 doesn’t. ISO requires the extensive Information Security Management System (ISMS) documentation, and in-person audits!
3. When you actually read the SOC 2
We might even call SOC 2 a certification in our own guide (sometimes you have to meet the people where they are), but SOC 2 in reality is an attestation. It’s just an auditor’s opinion of an organization’s cybersecurity program.
Anyone can just “get a SOC 2” even with a bad cybersecurity program! You should always read the SOC 2 report itself to fully understand the cybersecurity program of a vendor you are evaluating.
4. Can a software tool run your cybersecurity program?
There’s a common saying in the business world: “People don’t want to buy a shovel, they want to buy the hole.”
Well, compliance automation software vendors tend to tell customers they’re buying a hole (SOC 2), when in actuality they’re buying the shovel (the tool to help them get it).
They can be really helpful for running your compliance program – but you (or someone else at your company) will still have to do that work. If you want someone else to run your program, you’ll have to look for a different vendor, such as a Virtual CISO.
5. If cybersecurity people worked in finance
This was another one of our early hits that I reposted. The message carried just as well!
There is no other industry that would accept qualitative answers such as “low,” “medium,” and “high,” like cybersecurity does. It’s time we move on. Quantitative Cybersecurity Risk Assessments provide a MUCH better solution.
Thanks for Watching
It was a goal of mine to reach 10,000 followers on LinkedIn this year, which I achieved in late November.
The biggest contributor to that growth was these videos and the insightful discussions held in the comments.
If you have been watching, thank you! If not, give me a follow! More videos will come in 2024.
Happy New Year!
